WO2022232042A1 - Decentralized multi-authority attribute-based encryption with fully adaptive security - Google Patents
- Publication number
- WO2022232042A1 (PCT/US2022/026173)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- authority
- computerized
- authorities
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- The present disclosure relates to multi-authority attribute-based encryption schemes that are provably fully-adaptively secure, specifically, secure against an attacker that may corrupt some of the authorities as well as perform key queries adaptively throughout the lifetime of the system.
- Attribute-based encryption (ABE) schemes allow fine-grained access control when accessing encrypted data: Such encryption schemes support decryption keys that allow users that have certain credentials (or attributes) to decrypt certain messages without leaking any additional information. Over the years, the challenge of designing ABE schemes has received tremendous attention resulting in a long sequence of works achieving various trade-offs between expressiveness, efficiency, security, and underlying assumptions.
- Attribute-based encryption is a generalization of traditional public-key encryption that offers fine-grained access control over encrypted data based on the credentials (or attributes) of the recipients.
- ABE comes in two avatars: ciphertext-policy and key-policy. In ciphertext-policy ABE (CP-ABE), ciphertexts are associated with access policies and keys are associated with attributes. In key-policy ABE (KP-ABE), the roles of the attribute sets and the access policies are flipped, i.e., ciphertexts are associated with attributes and keys are associated with access policies. In both cases, decryption is possible only when the attributes satisfy the access policy.
- Multi-Authority Attribute-Based Encryption: In ABE schemes, restricted decryption keys can only be generated and issued by a central authority who possesses the master secret key. Chase introduced the notion of multi-authority ABE (MA-ABE), which allows multiple parties to play the role of an authority. More precisely, in an MA-ABE, there are multiple authorities which control different attributes and each of them can issue secret keys to users possessing attributes under their control without any interaction with the other authorities in the system. Given a ciphertext generated with respect to some access policy, a user possessing a set of attributes satisfying the access policy can decrypt the ciphertext by pulling the individual secret keys it obtained from the various authorities controlling those attributes.
- Decentralized multi-authority attribute-based encryption (MA-ABE) is a distributed generalization of standard (ciphertext-policy) attribute-based encryption where there is no trusted central authority: any party can become an authority and issue private keys, and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters.
- Some embodiments of the invention include systems, methods, network devices, and machine-readable media for encrypting a message according to a multi-authority attribute-based encryption scheme, the system comprising a processor configured for: receiving an electronic message m comprising rn, bits for encryption; storing the electronic message in a computerized storage media; executing a global setup algorithm to generate global parameters by generating a group G; sampling g and h as two generators of G; sampling seed for a seeded extractor; executing an authority setup algorithm to generate a public and secret key pair by: sampling two exponents y A and y b ; setting a public key to be ; setting a secret key to be ⁇ y A and u b ); executing an encryption algorithm for the message m and an access policy M, by: sampling s, r A , r b computing: m xor Ext (e(g, h), seed) ; storing as the encrypted message in a computerized storage media; and executing
- any party can join as an authority at any point in time and there is no limit to the number of authorities
- the method is fully adaptively secure.
- the method is provably fully adaptively secure, such that it is secure against an attacker that may corrupt some of the authorities as well as perform key queries adaptively throughout the lifetime of the system. In some further embodiments, the adversary does not hold enough secret keys or authority master keys to decrypt a message that is encrypted with respect to the access structure.
- the computerized processor is further configured to decrypt the message by: storing the message encrypted according to an attribute-based encryption scheme in a computerized storage media; executing a decryption algorithm, by: receiving a key comprising components generated as and a ciphertext computing ; and outputting
- Fig. 1 illustrates an example system architecture for a decentralized multi-authority attribute-based encryption scheme.
- Fig. 2 illustrates an example sequence diagram for a decentralized multi-authority attribute-based encryption scheme.
- Fig. 3 illustrates an example computer system architecture for implementing the claimed systems and methods.
- Fig. 4 illustrates further details of an example computer system architecture for implementing the claimed systems and methods.
- the GlobalSetup procedure gets as input the security parameter (in unary encoding) and outputs global public parameters. All of the other procedures depend on these global parameters (we may sometimes not mention them explicitly when they are clear from context).
- the AuthSetup procedure can be executed by any authority to generate a corresponding public and master secret key pair, (PK_u, MSK_u). An authority holding the master secret key MSK_u can then generate a secret key for a user with global identifier GID.
- a user holding a set of secret keys {SK_GID,u} can decrypt a given ciphertext CT if and only if the attributes corresponding to the secret keys it possesses "satisfy" the access structure with which the ciphertext was generated. If the MA-ABE scheme is built in the random oracle model, as is the case in this paper and in all previous collusion resistant MA-ABE schemes, the existence of a public hash function H mapping the global identifiers into some appropriate space is considered. This hash function H is generated by Global Setup and is modeled as a random oracle in the security proof.
- Fully Adaptive Security
- Global Setup: The challenger runs Global Setup to generate global public parameters.
- Query Phase 1: The attacker is allowed to adaptively make a polynomial number of queries of the following form:
- Authority Setup Query: The challenger runs AuthSetup to create a public/master key pair for an authority specified by the adversary.
- Query Phase 2: Same as in Query Phase 1 (while making sure that the constraint from the challenge phase is not violated).
- As in any ABE scheme, the challenge in MA-ABE is to make it collusion resistant.
- ABE schemes achieve collusion resistance by using the system's authority who knows a master secret key to "tie" together different key components representing the different attributes of a user with the help of fresh randomness specific to that user. Such randomization would make the different key components of a user compatible with each other, but not with the parts of a key issued to another user.
- a critical feature is that any step that relies on the attacker's keys not satisfying the access structure will be an information theoretic argument and thus sidesteps any problems revolving around guessing which authorities are corrupted. (There will of course be multiple computational arguments between and setting up the information theoretic ones.)
- a similar high-level approach of using information regarding what the adversary corrupts only in information theoretic arguments was used in a few previous dual system proofs, but here we are able to implement the technique in the (more challenging) distributed setting and enfolding corrupted authorities.
- the encryption algorithm blinds the message msg with the term where s is a random element in 3 ⁇ 4.
- the goal in the security proof is to show that given the view of the adversary there is enough entropy left in so that the message is indeed hidden.
- the decryptor recovers by appropriately pairing their keys for attributes and ciphertext components. If the user holds sufficient secret keys to decrypt a ciphertext, the two terms can be used to recover which, if multiplied, give the blinding factor , as necessary.
- It first chooses a random value V . It then uses the LSSS access policy (M, p) to generate a secret sharing of s where a A x will be the share for all where is a random vector with s as its first entry and M x is the row of M.
- the access policy ( M,p ) is of the form The function p associates rows of M to authorities. We assume that p is an injective function, that is, an authority/attribute is associated with at most one row of M.
- the procedure generates the ciphertext as follows: For each row it chooses random and outputs the ciphertext where
- This framework shows how to simulate a composite order group and its subgroups using a prime order group while guaranteeing a prime order analogue of various subgroup decision style assumptions. These analogues follow from the standard k-Linear assumption (and more generally, the MDDH assumption).
- the proof of security of our prime order construction relies not only on subgroup decision style assumptions but also on few information theoretic arguments as well as on the security of a random oracle.
- Using the framework and making it work on our scheme is fairly technical and systematic; we refer to the technical section for details. Nevertheless, we point out that the high level idea as well as the sequence of hybrids is the same as in the composite order case.
- a function is negligible if it is asymptotically smaller than any inverse-polynomial function, namely, for every constant there exists an integer N_c such that negl for all We let
- Remark (NC^1 and Monotone LSSS): Consider an access structure A described by an NC^1 circuit. There is a folklore transformation that converts this circuit to a Boolean formula of logarithmic depth that consists of (fan-in 2) AND, OR, and (fan-in 1) NOT gates. We can further push the NOT gates to the leaves using De Morgan laws, and assume that internal nodes consist only of OR and AND gates and leaves are labeled either by attributes or by their negations. In other words, we can represent any NC^1 policy over a set of attributes as one described by a monotone Boolean formula of logarithmic depth over the same attributes together with their negations. Lewko and Waters presented a monotone LSSS for access structures described by monotone Boolean formulas. This implies that any NC^1 access policy can be captured by a monotone LSSS.
- GlobalSetup(1^λ) → GP: The global setup algorithm takes in the security parameter λ in unary representation and outputs the global public parameters GP for the system.
- GP includes the descriptions of the universe of attribute authorities and universe of the global identifiers of the users . Note that both and are given by ⁇ 0,1 ⁇ ⁇ in case there is no bound on the number of authorities and users in the system.
- AuthSetup: The authority calls the authority setup algorithm during its initialization with the global parameters GP as input and receives back its public and master secret key pair (PK_u, MSK_u).
- the key generation algorithm takes as input the global parameters GP, a user's global identifier and a master secret key MSK_u of an authority. It outputs a secret key for the user.
- Enc(GP, msg): The encryption algorithm takes in the global parameters GP, a message, an LSSS access policy (M,p) such that M is a matrix over and p is a row-labeling function that assigns to each row of M an attribute/authority in , and the set of public keys for all the authorities in the range of p. It outputs a ciphertext CT. We assume that the ciphertext implicitly contains (M, p).
- the decryption algorithm takes in the global parameters GP, a ciphertext CT generated with respect to some LSSS access policy ( M,p ), and a collection of keys corresponding to user ID-attribute pairs possessed by a user with global identifier GID. It outputs a message msg' when the collection of attributes associated with the secret keys ⁇ satisfies the LSSS access policy (M, p ), i.e., when the vector (1,0, ... ,0) is contained in the linear span of those rows of M which are mapped by p to some attribute/authority such that the secret key is possessed by the user with global identifier GID. Otherwise, decryption fails.
- Query Phase 1: The attacker is allowed to adaptively make a polynomial number of queries of the following types:
- Authority Setup Queries: The attacker requests to set up an authority of its choice. If an authority setup query for the same authority u has already been queried before, the challenger aborts. Otherwise, the challenger runs AuthSetup to create a public/master key pair (PK_u, MSK_u) for the authority u. The challenger provides PK_u to the attacker and stores (PK_u, MSK_u). Note that the challenger does not return the generated public/master key pair to the attacker.
- the attacker makes a secret key query by submitting a pair (GID, u) to the challenger, where is a global identifier and u e ⁇ A ⁇ I is an attribute authority. If an authority setup query for the authority u has not been made already, the challenger aborts. Otherwise, the challenger runs KeyGen using the public/master key pair it already created in response to authority setup query for u and generates a secret key . The challenger provides to the attacker.
- Authority Master Key Queries: The attacker requests the master secret key of an authority u £ ⁇ AV. from the challenger. If an authority setup query for the authority u has not been made previously, the challenger aborts. Otherwise, the challenger provides the attacker the master secret key MSK_u for the authority u it created in response to the authority setup query for u.
- the attacker submits two messages, msg_0, msg_1 ∈ M, and an LSSS access structure (M,p).
- the attacker also submits the public keys {PK_u} for a subset of attribute authorities appearing in the LSSS access structure (M,p).
- the authority public keys {PK_u} supplied by the attacker can potentially be malformed, i.e., can fall outside the range of AuthSetup.
- the LSSS access structure (M,p) and the authority public keys {PK_u} must satisfy the following constraints.
- the challenger flips a random coin b and generates a ciphertext CT by running the Enc algorithm that encrypts msg_b under the access structure (M,p).
- (M,p) to generate a secret sharing of s where s A c will be the share for all i.e., for all where is a random vector with s as its first entry and M x is the row of M. It additionally creates another secret sharing of -s with respect to the LSSS access policy (M,p) where is the corresponding share for for all is a random vector with as its first entry.
- the procedure generates the ciphertext as follows: For each row x it chooses random r A x ,r B x z N and outputs the ciphertext
- Prime Order Bilinear Groups: Let be three multiplicative cyclic groups of prime order where the group operations are efficiently computable in the security parameter λ and there is no isomorphism between £ 3 ⁇ 4 and £1 ⁇ 2 that can be computed efficiently in λ. Let be generators of i respectively and be an efficiently computable pairing function that satisfies the following properties:
- KeyGen(GP, GID, MSK_u): The key generation algorithm takes as input the global parameters GP, the user's global identifier Q , and the authority's master secret key MSK_u. It generates a secret key / for GID as where
- Decryption takes as input the global parameters GP, a ciphertext CT for an LSSS access structure ( ,p) p [ ] injective, the user's global identifier and the secret keys corresponding to a subset of rows of M with indices is not in the span of these rows, M u then decryption fails. Otherwise, the decryptor finds [
- Arbitrary data may be stored in Cloud 201.
- Data Owner 202 may have caused the data to be uploaded to the cloud.
- User 203 may wish to obtain the data from the Cloud 201.
- User 203 may initially view file details and request a key from Authority 204. While only a single Authority 204 is illustrated here, multiple authorities can be instantiated and the user may be in communication with multiple of the authorities.
- Computer system 500 may also include user input/output device(s) 503, such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 506 through user input/output interface(s) 502.
- processors 504 may be a graphics processing unit (GPU).
- a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications.
- the GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
- Computer system 500 may also include a main memory 508, such as random-access memory (RAM).
- Main memory 508 may include one or more levels of cache. Main memory 508 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data.
- Computer system 500 may also include one or more secondary storage devices or secondary memory 510. Secondary memory 510 may include, for example, a hard disk drive 512 and/or a removable storage device or removable storage drive 514.
- Removable storage drive 514 may interact with a removable storage unit 518.
- Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer software (control logic) and/or data. Removable storage drive 514 may read from and/or write to removable storage unit 518.
- Secondary memory 510 may include other means, devices, components, instrumentalities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500.
- Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520.
- Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
- Computer system 500 may further include communications interface 524 (e.g., network interface).
- Communications interface 524 may enable computer system 500 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced as remote device(s), network(s), entity(ies) 528).
- communications interface 524 may allow computer system 500 to communicate with external or remote device(s), network(s), entity(ies) 528 over communications path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526.
- the machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a specialized application or network security appliance or device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
- the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
- the example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930.
- Processing device 902 represents one or more processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein.
- While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926.
- the term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure.
- the term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media, and magnetic media.
- This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the computer.
- a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
- a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device.
- control logic when executed by one or more data processing devices (such as computer system 500), may cause such data processing devices to operate as described herein.
- Coupled can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
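
The LSSS access-policy mechanics described earlier in this description (shares formed from a random vector with s as its first entry, a second sharing of -s, and decryption possible only when the vector (1,0,...,0) lies in the span of the rows of M held by the user) can be exercised on their own. The following is an added example, not code from the patent: it covers only the secret-sharing layer, with no pairing groups, keys or ciphertexts, and the prime modulus, the policy matrix and the authority names are constructed assumptions.

```python
# Added illustration (not from the patent): the linear secret sharing layer only.
import secrets

P = 2**127 - 1  # constructed prime modulus standing in for the group order (assumption)

# Constructed policy (authA AND authB) OR authC as a monotone LSSS matrix.
# Each row belongs to exactly one authority, so the row labeling is injective.
M = [[1, 1],    # authA
     [0, -1],   # authB
     [1, 0]]    # authC
RHO = ["authA", "authB", "authC"]  # row-labeling function (printed as p on the page)


def share(matrix, secret, p=P):
    """Share for row x is M_x . v, where v is random except v[0] = secret."""
    width = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(width - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def span_coefficients(rows, p=P):
    """Return c with sum_i c[i]*rows[i] == (1,0,...,0) mod p, or None if none exists."""
    if not rows:
        return None
    k, n = len(rows), len(rows[0])
    # One equation per matrix column, one unknown per held row, target e_1.
    aug = [[rows[i][j] % p for i in range(k)] + [1 if j == 0 else 0]
           for j in range(n)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    # A row reading "0 = nonzero" means (1,0,...,0) is outside the span.
    if any(not any(row[:k]) and row[k] for row in aug):
        return None
    c = [0] * k
    for i, col in enumerate(pivots):
        c[col] = aug[i][k]
    return c


def reconstruct(matrix, rho, shares, held, p=P):
    """Recombine the shares of the authorities in `held`; None means decryption fails."""
    idx = [x for x, auth in enumerate(rho) if auth in held]
    c = span_coefficients([matrix[x] for x in idx], p)
    if c is None:
        return None
    return sum(ci * shares[x] for ci, x in zip(c, idx)) % p


def demo():
    assert len(set(RHO)) == len(RHO)      # the row labeling must be injective
    s = secrets.randbelow(P)
    shares_s = share(M, s)                # sharing of s
    shares_neg = share(M, -s)             # second sharing, of -s
    got = {tuple(h): reconstruct(M, RHO, shares_s, h)
           for h in (["authA", "authB"], ["authC"], ["authA"], ["authB"])}
    ok = got[("authA", "authB")] == s and got[("authC",)] == s
    neg = reconstruct(M, RHO, shares_neg, ["authA", "authB"])
    return ok, got[("authA",)], got[("authB",)], (s + neg) % P


if __name__ == "__main__":
    print(demo())
```

A key set whose rows do not span (1,0,...,0), such as authA alone, yields no recombination coefficients at all, which is the "decryption fails" branch of the definition.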
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US18/288,379 US12489627B2 (en) | 2021-04-26 | 2022-04-25 | Decentralized multi-authority attribute-based encryption with fully adaptive security |
| JP2023565325A JP2024514711A (ja) | 2021-04-26 | 2022-04-25 | Decentralized multi-authority attribute-based encryption with fully adaptive security |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202163179862P | 2021-04-26 | 2021-04-26 | |
| US63/179,862 | 2021-04-26 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2022232042A1 true WO2022232042A1 (en) | 2022-11-03 |
Family
ID=83846514
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2022/026173 Ceased WO2022232042A1 (en) | 2021-04-26 | 2022-04-25 | Decentralized multi-authority attribute-based encryption with fully adaptive security |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US12489627B2 |
| JP (1) | JP2024514711A |
| WO (1) | WO2022232042A1 |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100185861A1 (en) * | 2009-01-19 | 2010-07-22 | Microsoft Corporation | Anonymous key issuing for attribute-based encryption |
| US20130339754A1 (en) * | 2011-03-25 | 2013-12-19 | Nippon Telegraph And Telephone Corporation | Cryptographic processing system, key generation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program |
| US9209974B1 (en) * | 2015-05-03 | 2015-12-08 | Zeutro, Llc | Functional encryption key management |
| US20180054301A1 (en) * | 2016-08-19 | 2018-02-22 | King Fahd University Of Petroleum And Minerals | Method and device for data encryption |
| US20190230094A1 (en) * | 2016-07-28 | 2019-07-25 | Koninklijke Philips N.V. | Identifying a network node to which data will be replicated |
| US20200336292A1 (en) * | 2019-04-16 | 2020-10-22 | NEC Laboratories Europe GmbH | Method and system for multi-authority controlled functional encryption |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8516244B2 (en) * | 2011-06-10 | 2013-08-20 | Zeutro Llc | System, apparatus and method for decentralizing attribute-based encryption information |
| JP6096782B2 (ja) * | 2011-09-28 | 2017-03-15 | Koninklijke Philips N.V. | Hierarchical attribute-based encryption and decryption |
| US9800555B2 (en) * | 2012-08-17 | 2017-10-24 | Koninklijke Philips N.V. | Attribute-based encryption |
| US9894043B2 (en) * | 2015-09-30 | 2018-02-13 | Raytheon Bbn Technologies Corp. | Cryptographically secure cross-domain information sharing |
| US20180176015A1 (en) * | 2016-12-16 | 2018-06-21 | Yongge Wang | Method and Apparatus for Public Key Encryption Scheme RLCE and IND-CCA2 Security |
| CN112104455A (zh) * | 2020-08-12 | 2020-12-18 | 福建师范大学 | Multi-authority encryption method and system |
-
2022
- 2022-04-25 WO PCT/US2022/026173 patent/WO2022232042A1/en not_active Ceased
- 2022-04-25 JP JP2023565325A patent/JP2024514711A/ja active Pending
- 2022-04-25 US US18/288,379 patent/US12489627B2/en active Active
Non-Patent Citations (1)
| Title |
|---|
| SHYNU P.G., SINGH K. JOHN: "Privacy preserving secret key extraction protocol for multi-authority attribute-based encryption techniques in cloud computing", INTERNATIONAL JOURNAL OF EMBEDDED SYSTEMS, INTERSCIENCE PUBLISHERS, OLNEY, GB, vol. 10, no. 4, 1 January 2018 (2018-01-01), pages 287-300, XP093003822, ISSN: 1741-1068, DOI: 10.1504/IJES.2018.10014925 * |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
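| CN115664685A (zh) * | 2022-12-27 | 2023-01-31 | 北京邮电大学 | On-chain data access control method and device based on attribute-based encryption |
| CN115664685B (zh) * | 2022-12-27 | 2023-03-21 | 北京邮电大学 | On-chain data access control method and device based on attribute-based encryption |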
| WO2024151871A1 (en) * | 2023-01-11 | 2024-07-18 | Ntt Research, Inc. | Decentralized multi-authority attribute-based encryption for large universe and unbounded |
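| CN116204923A (zh) * | 2023-03-08 | 2023-06-02 | 中国工商银行股份有限公司 | Data management and data query methods and devices |
| CN120281580A (zh) * | 2025-06-09 | 2025-07-08 | 长江三峡集团实业发展(北京)有限公司 | LSSS access structure construction method and device supporting collaborative decryption |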
Also Published As
| Publication number | Publication date |
|---|---|
| US20240283647A1 (en) | 2024-08-22 |
| JP2024514711A (ja) | 2024-04-02 |
| US12489627B2 (en) | 2025-12-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Miao et al. | | Secure multi-server-aided data deduplication in cloud computing |
| US9882717B2 (en) | | System and method for generating a server-assisted strong password from a weak secret |
| Abadi et al. | | Message-locked encryption for lock-dependent messages |
| Wang et al. | | Attribute-based data sharing scheme revisited in cloud computing |
| US12489627B2 (en) | | Decentralized multi-authority attribute-based encryption with fully adaptive security |
| CN109246098B (zh) | | Method supporting synchronous ciphertext comparison by backup servers |
| Yuan et al. | | DedupDUM: Secure and scalable data deduplication with dynamic user management |
| WO2018211446A1 (en) | | Cryptographic key-generation with application to data deduplication |
| Ying et al. | | Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating |
| EP3375129A1 (en) | | Method for re-keying an encrypted data file |
| Garg et al. | | Comparative analysis of cloud data integrity auditing protocols |
| Yi et al. | | Efficient integrity verification of replicated data in cloud computing system |
| Emura et al. | | Identity-based encryption with security against the KGC: a formal model and its instantiation from lattices |
| Hur et al. | | Removing escrow from ciphertext policy attribute-based encryption |
| WO2022076327A1 (en) | | Decentralized multi-authority attribute-based encryption |
| Sandhia et al. | | Secure sharing of data in cloud using MA-CPABE with elliptic curve cryptography |
| US12375286B2 (en) | | Decentralized multi-authority attribute-based encryption from bilinear diffie-hellman assumptions |
| Li et al. | | Provably secure unbounded multi‐authority ciphertext‐policy attribute‐based encryption |
| CN114020842A (zh) | | Data sharing method and device based on homomorphic encryption technology |
| CN109743327B (zh) | | Certificateless public integrity verification method for shared data in cloud storage |
| Abo-Alian et al. | | Auditing-as-a-service for cloud storage |
| Thangavel et al. | | An analysis of privacy preservation schemes in cloud computing |
| CN108494552A (zh) | | Cloud storage data deduplication method supporting efficient convergent key management |
| Zhou | | Data security and integrity in cloud computing |
| Cao et al. | | Fuzzy Identity‐Based Ring Signature from Lattices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22796494; Country of ref document: EP; Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 2023565325; Country of ref document: JP |
| | WWE | Wipo information: entry into national phase | Ref document number: 18288379; Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 22796494; Country of ref document: EP; Kind code of ref document: A1 |